Diffstat (limited to 'roles/etcd')
| -rw-r--r-- | roles/etcd/README.md | 4 | ||||
| -rw-r--r-- | roles/etcd/defaults/main.yaml | 25 | ||||
| -rw-r--r-- | roles/etcd/etcdctl.sh | 11 | ||||
| -rw-r--r-- | roles/etcd/files/etcdctl.sh | 11 | ||||
| -rw-r--r-- | roles/etcd/handlers/main.yml | 4 | ||||
| -rw-r--r-- | roles/etcd/meta/main.yml | 10 | ||||
| -rw-r--r-- | roles/etcd/tasks/etcdctl.yml | 11 | ||||
| -rw-r--r-- | roles/etcd/tasks/main.yml | 89 | ||||
| -rw-r--r-- | roles/etcd/templates/etcd.conf.j2 | 34 | ||||
| -rw-r--r-- | roles/etcd/templates/etcd.docker.service | 17 | 
10 files changed, 144 insertions, 72 deletions
diff --git a/roles/etcd/README.md b/roles/etcd/README.md
index 49207c428..329a926c0 100644
--- a/roles/etcd/README.md
+++ b/roles/etcd/README.md
@@ -7,7 +7,7 @@ Requirements
 ------------
 This role assumes it's being deployed on a RHEL/Fedora based host with package
-named 'etcd' available via yum.
+named 'etcd' available via yum or dnf (conditionally).
 Role Variables
 --------------
@@ -17,7 +17,7 @@ TODO
 Dependencies
 ------------
-None
+etcd-common
 Example Playbook
 ----------------
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index 0fb45f37c..2ec62c37c 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -1,31 +1,16 @@
 ---
-etcd_interface: eth0
+etcd_service: "{{ 'etcd' if not etcd_is_containerized | bool else 'etcd_container' }}"
 etcd_client_port: 2379
 etcd_peer_port: 2380
-etcd_peers_group: etcd
 etcd_url_scheme: http
 etcd_peer_url_scheme: http
-etcd_conf_dir: /etc/etcd
-etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt"
-etcd_cert_file: "{{ etcd_conf_dir }}/server.crt"
-etcd_key_file: "{{ etcd_conf_dir }}/server.key"
-etcd_peer_ca_file: "{{ etcd_conf_dir }}/ca.crt"
-etcd_peer_cert_file: "{{ etcd_conf_dir }}/peer.crt"
-etcd_peer_key_file: "{{ etcd_conf_dir }}/peer.key"
 etcd_initial_cluster_state: new
 etcd_initial_cluster_token: etcd-cluster-1
-etcd_initial_advertise_peer_urls: "{{ etcd_peer_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_peer_port }}"
-etcd_listen_peer_urls: "{{ etcd_peer_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_peer_port }}"
-etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_client_port }}"
-etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_client_port }}"
+etcd_initial_advertise_peer_urls: "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_port }}"
+etcd_listen_peer_urls: "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_port }}"
+etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
+etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
 etcd_data_dir: /var/lib/etcd/
-
-os_firewall_use_firewalld: False
-os_firewall_allow:
-- service: etcd
-  port: "{{etcd_client_port}}/tcp"
-- service: etcd peering
-  port: "{{ etcd_peer_port }}/tcp"
diff --git a/roles/etcd/etcdctl.sh b/roles/etcd/etcdctl.sh
new file mode 100644
index 000000000..0e324a8a9
--- /dev/null
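Review bot: The new `etcd_service` default and the four rewritten URL defaults reference `etcd_is_containerized` and `etcd_ip`, which nothing in this file defines and no comment explains; the tasks hunk says the defaults for `etcd_hostname`/`etcd_ip` are set in etcd_common, so presumably `etcd_is_containerized` and the now-removed `etcd_conf_dir` come from there too. A comment at the top of the file, `# etcd_is_containerized, etcd_ip and etcd_conf_dir are supplied by the etcd_common role`, would make that contract visible to the next reader. Note also that `etcd_url_scheme: http` and `etcd_peer_url_scheme: http` remain the defaults, so the client and peer endpoints stay plaintext unless the calling play overrides them, even though the role now depends on etcd_server_certificates; a one-line comment stating that the scheme is expected to be set by the caller would avoid the impression that certificates are applied automatically.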
+++ b/roles/etcd/etcdctl.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# Sets up handy aliases for etcd, need etcdctl2 and etcdctl3 because
+# command flags are different between the two. Should work on stand
+# alone etcd hosts and master + etcd hosts too because we use the peer keys.
+etcdctl2() {
+ /usr/bin/etcdctl --cert-file /etc/etcd/peer.crt --key-file /etc/etcd/peer.key --ca-file /etc/etcd/ca.crt -C https://`hostname`:2379 ${@}
+}
+
+etcdctl3() {
+ ETCDCTL_API=3 /usr/bin/etcdctl --cert /etc/etcd/peer.crt --key /etc/etcd/peer.key --cacert /etc/etcd/ca.crt --endpoints https://`hostname`:2379 ${@}
+}
diff --git a/roles/etcd/files/etcdctl.sh b/roles/etcd/files/etcdctl.sh
new file mode 100644
index 000000000..0e324a8a9
--- /dev/null
+++ b/roles/etcd/files/etcdctl.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# Sets up handy aliases for etcd, need etcdctl2 and etcdctl3 because
+# command flags are different between the two. Should work on stand
+# alone etcd hosts and master + etcd hosts too because we use the peer keys.
+etcdctl2() {
+ /usr/bin/etcdctl --cert-file /etc/etcd/peer.crt --key-file /etc/etcd/peer.key --ca-file /etc/etcd/ca.crt -C https://`hostname`:2379 ${@}
+}
+
+etcdctl3() {
+ ETCDCTL_API=3 /usr/bin/etcdctl --cert /etc/etcd/peer.crt --key /etc/etcd/peer.key --cacert /etc/etcd/ca.crt --endpoints https://`hostname`:2379 ${@}
+}
diff --git a/roles/etcd/handlers/main.yml b/roles/etcd/handlers/main.yml
index b897913f9..e00e1cac4 100644
--- a/roles/etcd/handlers/main.yml
+++ b/roles/etcd/handlers/main.yml
@@ -1,3 +1,5 @@
 ---
+
 - name: restart etcd
-  service: name=etcd state=restarted
+  service: name={{ etcd_service }} state=restarted
+  when: not (etcd_service_status_changed | default(false) | bool)
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
index 82b1a62b8..cfd72dfbc 100644
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
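Review bot: Both `etcdctl2` and `etcdctl3` forward their arguments with an unquoted `${@}`, so any argument containing whitespace is re-split by the shell before it reaches etcdctl; `"$@"` preserves the caller's words, and the endpoint should be quoted as well, e.g. `-C "https://$(hostname):2379" "$@"` and `--endpoints "https://$(hostname):2379" "$@"`. The same two lines appear in the second copy of this file, roles/etcd/files/etcdctl.sh, which has the identical blob id; the copy task in tasks/etcdctl.yml uses `src: etcdctl.sh`, which Ansible resolves against the role's files/ directory, so the top-level roles/etcd/etcdctl.sh looks like an accidental duplicate that will drift from the installed one. Since the file is installed under /etc/profile.d for every login shell but uses the peer key, a comment noting that the functions only work for users who can read /etc/etcd/peer.key (presumably root and etcd) would save confusion.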
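Review bot: The new `when:` on the restart handler is undocumented; it skips the restart whenever `etcd_service_status_changed` is true, which tasks/main.yml sets from `start_result | changed` at the end of the task list, and a reader of the handler file alone cannot tell that the intent is to avoid restarting a service this play just started. A comment above it, `# Skip the restart when this play already (re)started the service; etcd_service_status_changed is set at the end of tasks/main.yml`, would make it self-explanatory. Style-wise the module arguments are still in key=value form; native YAML, `service:` / `name: "{{ etcd_service }}"` / `state: restarted`, matches the rest of the role and quotes the Jinja expression.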
@@ -7,7 +7,7 @@ galaxy_info:
   description: etcd management
   company: Red Hat, Inc.
   license: Apache License, Version 2.0
-  min_ansible_version: 1.2
+  min_ansible_version: 2.1
   platforms:
   - name: EL
     versions:
@@ -16,4 +16,10 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- { role: os_firewall }
+- role: os_firewall
+  os_firewall_allow:
+  - service: etcd
+    port: "{{etcd_client_port}}/tcp"
+  - service: etcd peering
+    port: "{{ etcd_peer_port }}/tcp"
+- role: etcd_server_certificates
diff --git a/roles/etcd/tasks/etcdctl.yml b/roles/etcd/tasks/etcdctl.yml
new file mode 100644
index 000000000..32c176449
--- /dev/null
+++ b/roles/etcd/tasks/etcdctl.yml
@@ -0,0 +1,11 @@
+- name: Install etcd for etcdctl
+  action: "{{ ansible_pkg_mgr }} name=etcd state=present"
+  when: not openshift.common.is_atomic | bool
+
+- name: Configure etcd profile.d alises
+  copy:
+    src: etcdctl.sh
+    dest: /etc/profile.d/etcdctl.sh
+    mode: 0755
+    owner: root
+    group: root
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 79a91dfde..790eb3c5a 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
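Review bot: The README hunk now names etcd-common as the role's dependency, but `dependencies:` here lists only os_firewall and etcd_server_certificates; the tasks hunk comments that the etcd_hostname/etcd_ip defaults are set in etcd_common, so presumably it is pulled in transitively through etcd_server_certificates. If so, a comment on the `- role: etcd_server_certificates` line saying that it brings in etcd_common would keep the two files from contradicting each other; if not, etcd_common should be listed explicitly so the facts exist before this role's defaults are evaluated. Minor: `"{{etcd_client_port}}/tcp"` and `"{{ etcd_peer_port }}/tcp"` use different Jinja spacing; `"{{ etcd_client_port }}/tcp"` keeps them consistent.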
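Review bot: `mode: 0755` on the copy task is an unquoted octal; a YAML 1.1 loader turns it into an integer that Ansible then reinterprets, while a YAML 1.2 loader reads `0755` as decimal 755, and ansible-lint flags the form as risky-octal. The same pattern appears twice as `mode: 0700` in tasks/main.yml (the `Ensure etcd datadir exists` and `Validate permissions on the config dir` tasks); quoting all three, `mode: "0755"` and `mode: "0700"`, removes the dependency on loader behaviour. The task name `Configure etcd profile.d alises` has a typo (`aliases`), and the file has no leading `---` unlike the role's other task files.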
@@ -1,52 +1,81 @@
 ---
+- name: Set hostname and ip facts
+  set_fact:
+    # Store etcd_hostname and etcd_ip such that they will be available
+    # in hostvars. Defaults for these variables are set in etcd_common.
+    etcd_hostname: "{{ etcd_hostname }}"
+    etcd_ip: "{{ etcd_ip }}"
+
 - name: Install etcd
-  yum: pkg=etcd state=present
+  action: "{{ ansible_pkg_mgr }} name=etcd state=present"
+  when: not etcd_is_containerized | bool
-- name: Validate permissions on the config dir
+- name: Pull etcd container
+  command: docker pull {{ openshift.etcd.etcd_image }}
+  register: pull_result
+  changed_when: "'Downloaded newer image' in pull_result.stdout"
+  when: etcd_is_containerized | bool
+
+- name: Install etcd container service file
+  template:
+    dest: "/etc/systemd/system/etcd_container.service"
+    src: etcd.docker.service
+  register: install_etcd_result
+  when: etcd_is_containerized | bool
+
+- name: Ensure etcd datadir exists
+  when: etcd_is_containerized | bool
   file:
-    path: "{{ etcd_conf_dir }}"
+    path: "{{ etcd_data_dir }}"
     state: directory
-    owner: etcd
-    group: etcd
     mode: 0700
-- name: Validate permissions on certificate files
-  file:
-    path: "{{ item }}"
-    mode: 0600
-    group: etcd
-    owner: etcd
-  when: etcd_url_scheme == 'https'
-  with_items:
-  - "{{ etcd_ca_file }}"
-  - "{{ etcd_cert_file }}"
-  - "{{ etcd_key_file }}"
-
-- name: Validate permissions on peer certificate files
+- name: Check for etcd service presence
+  command: systemctl show etcd.service
+  register: etcd_show
+  changed_when: false
+  failed_when: false
+
+- name: Disable system etcd when containerized
+  when: etcd_is_containerized | bool and etcd_show.rc == 0 and 'LoadState=not-found' not in etcd_show.stdout
+  service:
+    name: etcd
+    state: stopped
+    enabled: no
+
+- name: Mask system etcd when containerized
+  when: etcd_is_containerized | bool and etcd_show.rc == 0 and 'LoadState=not-found' not in etcd_show.stdout
+  command: systemctl mask etcd
+
+- name: Reload systemd units
+  command: systemctl daemon-reload
+  when: etcd_is_containerized | bool and ( install_etcd_result | changed )
+
+- name: Validate permissions on the config dir
   file:
-    path: "{{ item }}"
-    mode: 0600
-    group: etcd
-    owner: etcd
-  when: etcd_peer_url_scheme == 'https'
-  with_items:
-  - "{{ etcd_peer_ca_file }}"
-  - "{{ etcd_peer_cert_file }}"
-  - "{{ etcd_peer_key_file }}"
+    path: "{{ etcd_conf_dir }}"
+    state: directory
+    owner: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
+    group: "{{ 'etcd' if not etcd_is_containerized | bool else omit }}"
+    mode: 0700
 - name: Write etcd global config file
   template:
     src: etcd.conf.j2
     dest: /etc/etcd/etcd.conf
+    backup: true
   notify:
     - restart etcd
 - name: Enable etcd
   service:
-    name: etcd
+    name: "{{ etcd_service }}"
     state: started
     enabled: yes
   register: start_result
-- pause: seconds=30
-  when: start_result | changed
+- include: etcdctl.yml
+  when: openshift_etcd_etcdctl_profile | default(true) | bool
+
+- set_fact:
+    etcd_service_status_changed: "{{ start_result | changed }}"
diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2
index 801be2c97..7ccf78212 100644
--- a/roles/etcd/templates/etcd.conf.j2
+++ b/roles/etcd/templates/etcd.conf.j2
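Review bot: `command: docker pull {{ openshift.etcd.etcd_image }}` in the `Pull etcd container` task installs whatever reference that fact holds; if it is a mutable tag rather than a digest, two runs of the same playbook can end up running different etcd binaries, and the `'Downloaded newer image'` match in `changed_when` is the only trace that this happened. Nothing in the hunk prevents a digest reference, but the expectation should be written down next to the task, e.g. `# openshift.etcd.etcd_image should be a digest-pinned reference so repeated runs are reproducible`. Separately, `Write etcd global config file` hard-codes `dest: /etc/etcd/etcd.conf` while the task just above it uses `path: "{{ etcd_conf_dir }}"`; `dest: "{{ etcd_conf_dir }}/etcd.conf"` keeps the two consistent, otherwise overriding `etcd_conf_dir` secures one directory and writes the config into another. The `Disable system etcd when containerized` and `Mask system etcd when containerized` tasks repeat the same three-clause `when:`; computing it once into a fact, or grouping both under one `block:` with the condition, avoids the two drifting apart.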
@@ -1,43 +1,43 @@
 {% macro initial_cluster() -%}
-{% for host in groups[etcd_peers_group] -%}
+{% for host in etcd_peers | default([]) -%}
 {% if loop.last -%}
-{{ host }}={{ etcd_peer_url_scheme }}://{{ hostvars[host]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_peer_port }}
+{{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }}
 {%- else -%}
-{{ host }}={{ etcd_peer_url_scheme }}://{{ hostvars[host]['ansible_' + etcd_interface]['ipv4']['address'] }}:{{ etcd_peer_port }},
+{{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }},
 {%- endif -%}
 {% endfor -%}
 {% endmacro -%}
-{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
-ETCD_NAME={{ inventory_hostname }}
+{% if etcd_peers | default([]) | length > 1 %}
+ETCD_NAME={{ etcd_hostname }}
 ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
 {% else %}
 ETCD_NAME=default
 {% endif %}
 ETCD_DATA_DIR={{ etcd_data_dir }}
-#ETCD_SNAPSHOT_COUNTER="10000"
-#ETCD_HEARTBEAT_INTERVAL="100"
-#ETCD_ELECTION_TIMEOUT="1000"
+#ETCD_SNAPSHOT_COUNTER=10000
+ETCD_HEARTBEAT_INTERVAL=500
+ETCD_ELECTION_TIMEOUT=2500
 ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
-#ETCD_MAX_SNAPSHOTS="5"
-#ETCD_MAX_WALS="5"
-#ETCD_CORS=""
+#ETCD_MAX_SNAPSHOTS=5
+#ETCD_MAX_WALS=5
+#ETCD_CORS=
-{% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
+{% if etcd_peers | default([]) | length > 1 %}
 #[cluster]
 ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
 ETCD_INITIAL_CLUSTER={{ initial_cluster() }}
 ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
 ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
-#ETCD_DISCOVERY=""
-#ETCD_DISCOVERY_SRV=""
-#ETCD_DISCOVERY_FALLBACK="proxy"
-#ETCD_DISCOVERY_PROXY=""
+#ETCD_DISCOVERY=
+#ETCD_DISCOVERY_SRV=
+#ETCD_DISCOVERY_FALLBACK=proxy
+#ETCD_DISCOVERY_PROXY=
 {% endif %}
 ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
 #[proxy]
-#ETCD_PROXY="off"
+#ETCD_PROXY=off
 #[security]
 {% if etcd_url_scheme == 'https' -%}
diff --git a/roles/etcd/templates/etcd.docker.service b/roles/etcd/templates/etcd.docker.service
new file mode 100644
index 000000000..cf957ede8
--- /dev/null
+++ b/roles/etcd/templates/etcd.docker.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=The Etcd Server container
+After=docker.service
+Requires=docker.service
+PartOf=docker.service
+
+[Service]
+EnvironmentFile=/etc/etcd/etcd.conf
+ExecStartPre=-/usr/bin/docker rm -f {{ etcd_service }}
+ExecStart=/usr/bin/docker run --name {{ etcd_service }} --rm -v /var/lib/etcd:/var/lib/etcd:z -v /etc/etcd:/etc/etcd:z --env-file=/etc/etcd/etcd.conf --net=host --entrypoint=/usr/bin/etcd {{ openshift.etcd.etcd_image }}
+ExecStop=/usr/bin/docker stop {{ etcd_service }}
+SyslogIdentifier=etcd_container
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=docker.service
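Review bot: `initial_cluster()` now reads `hostvars[host].etcd_hostname` and `hostvars[host].etcd_ip` for every entry of `etcd_peers`, and those facts only exist once the `Set hostname and ip facts` task in tasks/main.yml has run on that host; a play that renders this template for a subset of the peers (a `--limit` run, or a peer that failed earlier) will presumably fail on an undefined attribute or emit a truncated ETCD_INITIAL_CLUSTER. A comment at the top of the macro, `{# requires the etcd_hostname/etcd_ip facts on every host in etcd_peers; they are set in tasks/main.yml #}`, records that precondition. The heartbeat and election values are now fixed at `ETCD_HEARTBEAT_INTERVAL=500` and `ETCD_ELECTION_TIMEOUT=2500` where the old file left them commented out; making them overridable, e.g. `ETCD_HEARTBEAT_INTERVAL={{ etcd_heartbeat_interval | default(500) }}` and `ETCD_ELECTION_TIMEOUT={{ etcd_election_timeout | default(2500) }}`, keeps the new defaults while letting slower networks tune them. The `#[security]` section that follows is outside the hunk.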
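Review bot: The `ExecStart` line hard-codes `/var/lib/etcd` and `/etc/etcd` in the `-v` mounts while the role's tasks use `etcd_data_dir` and `etcd_conf_dir` for the same paths, and the config file passed via `--env-file` sets ETCD_DATA_DIR from `etcd_data_dir`; if a caller overrides that variable, etcd inside the container would presumably write to a path that is not bind-mounted and lose its data on the next restart. Mounting the variables, `-v {{ etcd_data_dir }}:{{ etcd_data_dir }}:z -v {{ etcd_conf_dir }}:/etc/etcd:z`, keeps the unit in step with the tasks (the template already uses `etcd_service`, so Jinja is available). `EnvironmentFile=/etc/etcd/etcd.conf` and `--env-file=/etc/etcd/etcd.conf` load the same file twice, once into the unit and once into the container; only the latter reaches etcd, so either drop the first or add a comment saying why systemd also needs it. `WantedBy=docker.service` with `PartOf=docker.service` ties this unit to docker's lifecycle rather than multi-user.target, so a docker restart also restarts etcd; if that is intended, a comment in the `[Unit]` section should say so.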
